Home Depot to Pay Banks $25 Million in Data Breach Settlement

Home Depot has taken another step to move on from its colossal 2014 data breach, which involved hackers stealing email or credit card information from more than 50 million customers by infiltrating self-checkout terminals.

In a new settlement with dozens of banks, the retailer has agreed to pay $25 million for damages they incurred as a result of the breach, one of the biggest in history.

The settlement, filed this week in federal court in Atlanta, also requires Home Depot to tighten its cyber-security practices and to subject its vendors to more scrutiny—a measure tied to the fact that a security flaw by a third-party payment processor made the hacked self-checkout terminals vulnerable.

"We’re pleased to have moved through this phase of resolution," said Stephen Holmes, a spokesman at Home Depot.

The settlement and related legal proceedings are important because they show how payment-related breaches put companies on the hook not just to consumers, but to banks and the credit card industry. Indeed, court filings show Home Depot has paid far more to the financial industry than to consumers.

In addition to this week's $25 million settlement, Home Depot has also paid at least $134.5 million in compensation to consortiums made up of Visa, MasterCard, and various banks.

On the consumer side, Home Depot last year agreed to a $19.5 million settlement with affected customers that included a $13 million cash fund as well as credit monitoring services.

The discrepancy between the payments to consumers and banks arises because the latter can show clear damages from the breach, such as fraudulent transactions and lost credit card fees. Consumers, on the other hand, were made good for any unauthorized purchases.

Meanwhile, the issue of what—if anything—consumers should get for loss of their data or privacy is the subject of ongoing debate in light of an ambiguous Supreme Court decision last year.

For Home Depot, the cost of the breach is at least $179 million based on the figures in the court documents. The final total, though, is likely to be much higher because of legal fees and any other undisclosed payouts. Last year, the company said it had set aside $161 million, taking account of insurance, to cover the cost of the breach.

Today, cyber-risk remains a huge concern for companies, which must guard not only internal computer networks, but also a sprawling number of third-party vendors that can connect to their systems.

The worry over vendor risk, however, may have just become easier to manage thanks to a new cyber-risk clearinghouse, which debuted this week with the backing of Blackstone and other large companies. The service makes it much easier to evaluate and monitor the cyber-security practices of thousands of vendors.